1 Answer
1

It makes no sense to keep the password secret from the recipients of the group email, since each of them can initiate and complete the password reset process and set the password to whatever they like. If the account in question is not supposed to be accessible for all members of the email group, it should be changed to refer to a personal email address instead of a group one.

If you actually intend for all members of the email group to know the password, you will need to have some channel for distributing the new password to all members, regardless of the mechanism you implement for the actual change. Email is OK if you can count on public key crypto and make sure only the actual authorized recipients will be able to read the password, or if it is not a very critical system you can just ignore security best practices and just send the new password in plain-text email.

Note that any password-reset-over-email scheme is inherently as insecure as email communication; even the initial reset link, if intercepted, can be used to gain access to the account in question just as the genuine recipient of the email would.
– lanzz, May 28 '12 at 9:27